We use Cloudflare Warp at work. Honestly—and I say this as a Cloudflare fan in general—it doesn’t work well for me. I regularly have connection issues with it enabled. Video calls sometimes cut out for a couple seconds, and Tuple (which I use a lot) really struggles with it. It’s possible it’s my internet connection or something unrelated, but I don’t have any of these issues when Warp is disabled. YMMV and all that, so take this as the anecdote it is. For what it’s worth, some coworkers have similar issues, but others don’t, so maybe it’s region specific. (I live in Oregon.)
Warp is actually two products: their consumer VPN product, which is typically what's referred to as Warp, and their Zero Trust, which uses the VPN hooks to layer on Enterprise management features. Zero Trust allows companies to route particular IP ranges through various separate connections, unlike Warp which only routes through Cloudflare. It sounds like your company is routing more than internal IP traffic through Zero Trust, which may mean it's going through your company connection. You can check your Split Tunnel preferences in the client to see for sure. I personally use various tools with Warp just fine.
However, it's also true that Warp / Zero Trust doesn't use the entire Cloudflare network for their termination points, only a subset of datacenters are used. So you may be getting unlucky through saturation or even just routing to the closest CF point that terminates traffic near you. You can check your "Colocation center" that's being used. In my case, despite living near Detroit and CF's datacenter there, I'm routed through Chicago, adding 40ms to any roundtrip time.
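A concrete way to run the check the comment above suggests, added here as an example and not code from the thread or from Cloudflare: Cloudflare's public `https://www.cloudflare.com/cdn-cgi/trace` endpoint answers with one `key=value` per line, including the serving colo (`colo=`), whether the request arrived over WARP (`warp=off|on|plus`) and whether the SNI was sent in plaintext (`sni=`). The parser below is tested against a constructed response embedded inline (the `ip`, `ts` and `fl` values are made up); the live fetch is only run when the script is executed directly.

```python
import urllib.request

TRACE_URL = "https://www.cloudflare.com/cdn-cgi/trace"  # real public endpoint

# Constructed sample of the trace format (values invented for this example).
SAMPLE_TRACE = """\
fl=123abc
h=www.cloudflare.com
ip=2606:4700:110:8a36:1234:5678:9abc:def0
ts=1700000000.123
visit_scheme=https
uag=curl/8.4.0
colo=ORD
sliver=none
http=http/2
loc=US
tls=TLSv1.3
sni=plaintext
warp=on
gateway=off
rbi=off
kex=X25519
"""


def parse_trace(text: str) -> dict:
    """Turn the key=value lines of a cdn-cgi/trace response into a dict.

    Blank lines and lines without '=' are ignored so a truncated or
    partially garbled response still yields whatever fields survived.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key] = value
    return fields


def summarize(fields: dict) -> dict:
    """Answer the questions a user debugging WARP actually has."""
    warp = fields.get("warp", "off")
    return {
        "warp_active": warp in ("on", "plus"),   # 'plus' is WARP+ / Argo routing
        "warp_mode": warp,
        "colo": fields.get("colo", "unknown"),   # IATA-style code of the serving datacenter
        "sni_plaintext": fields.get("sni") == "plaintext",
        "gateway": fields.get("gateway") == "on",  # Zero Trust gateway in the path
        "seen_ip": fields.get("ip", "unknown"),
    }


def fetch_trace(timeout: float = 5.0) -> str:
    """Fetch the live trace; network access required, so not used by the tests."""
    with urllib.request.urlopen(TRACE_URL, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    try:
        text = fetch_trace()
    except Exception as exc:  # offline or blocked: fall back to the constructed sample
        print(f"live fetch failed ({exc}); using constructed sample")
        text = SAMPLE_TRACE
    for key, value in summarize(parse_trace(text)).items():
        print(f"{key:14} {value}")
```

Run it once with WARP enabled and once with it disabled: if `colo` does not change, the tunnel is not carrying your browser traffic at all (the Zero Trust split-tunnel case the comment describes); if it changes to a city other than the one nearest you, that is the termination-point subset effect the second paragraph describes.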
This is stuff we want to address — whether directly in our control and/or where we need to ensure others are peering with us locally to help their users.
I believe the issues with your video calls and Tuple are due to a specific issue we've recently identified. What video call software do you use?
Also, Tuple has a troubleshooting screen to see packet loss etc. Would you be willing to share the data from that screen with us? If so, you can reach out to me using my HN username at cloudflare.
Interesting, we've used Google Meet quite a lot without issue. But yes do let me know.
The main bit I'm interested in is definitely Tuple, specifically because it has a diagnostic screen (network insights?). When you have a bad experience, I'd love to know what that screen says
Tuple is what I've had the most trouble with. I even contacted Tuple, thinking it was an issue on their end, but they looked at the logs and said it was most likely a VPN connectivity problem, and suggested I try it without Warp enabled, which so far has been seamless. The issues with Google Meet are pretty intermittent and uncommon—it just tends to cut out at rather inconvenient moments. :) The difficult thing about these types of tools is that the bar for what works "well" is really high; even very infrequent connectivity issues are enough to sour one's opinion of the tool.
I have the same sorts of issues on Android -- I frequently have to kill the 1.1.1.1 app because it no longer passes traffic, but it seems to work fine on other Linux systems that are not Android.
Alas not. We use it on our Linux machines with include mode and it's painful. Common domains fail to resolve at all, and can't even SSH to IP addresses on the local network. Every update seems to fix one edge case and add two more. At this point I'd rather just have a VPN and spend the buzzword budget on something else.
The Android issue is an issue, but a separate one. It seems to only happen on a few devices (including mine). What device do you use and on what version of Android?
I have a fun story about using Warp while on vacation (Bahamas). I was finding that my net traffic felt like it was slower/more variable than I'd expect with uneven speedups and slowdowns.
On a whim I installed and turned on Warp and suddenly my internet speed was both palpably faster and more consistent in its speed. I think it's possible that one of the side effects of encrypting your traffic may be that it evades ISP traffic shaping.
Back when I used Visible (North American MVNO) for my phone, you could get substantially faster speeds and less latency by enabling Warp because it bypassed their traffic shaping and limited egress points, for example if you viewed Netflix without Warp you were throttled to 480p but with Warp you could easily do 1080p.
I had a similar experience. Higher resolution netflix on my T-Mobile prepaid data line with warp installed.
Additionally I did the bog standard TTL modification, installed warp and probably one or two other things I can't recall. For whatever reason those changes allowed me to tether unlimited 4G speed data rather than being throttled down to 3G after a few gigs. This was true for T-Mobile, US Mobile's "verizon" tower mvno service as well as US Mobile's "t-mobile" tower mvno service. Can't say I was upset about it.
Cloudflare recently hijacked the domain of one of their customers (RaidForums), then cloned the RaidForums login page, and ran a phishing campaign at the behest of the FBI for two weeks.
I understand that you have to comply with law enforcement, but actively attacking the users of one of your customer's websites is super rude.
It is a problem when you centralize the Internet like this though.
The more of the Internet you've got running through your service, the more appealing a target you are for not only domestic government pressure, but attempts from foreign state actors to compromise the service (through not only hacking, but espionage and blackmail as well).
I'm no fan of centralization but if you think that it makes any difference to the FBI, you're mistaken. The tiniest providers are obligated to do the exact same thing. This has nothing to do with domestic pressure.
When the FBI asked Apple to build tools to attack customers, Apple said no. Cloudflare could have just dropped RaidForums as a customer, but they went the extra mile and built tools to facilitate an attack of RF users.
I did a bit of reading on this, and it looks like the main admin was arrested weeks before the phishing campaign went up.
It seems therefore entirely plausible that the admin handed the keys to the castle to the FBI anyway, or at least gave Cloudflare the okay to go ahead.
I can't find a shred of evidence that Cloudflare were involved directly in making the phishing page or even complying with the FBI.
Also I feel like Raid Forums is a bit mis-characterized in the article. It was largely a forum for people who collect OSINT about breached websites, not really a marketplace, and in the years that I spent there, I never saw people actually selling carding details, like they claim in the article. I used it regularly for my day job.
We used it at a job I had and it made sense for business continuity reasons. But it is centralizing the internet and they are the gatekeepers. Not a good thing
"Your ISP looks at which websites your browsing, oh the horror! Instead trust us, as an internet behemoth bigger than any ISP in the world with that data!"
Your ISP can collect your traffic history AND trivially connect that history to your identity, and sell/provide data to brokers, TLAs, police etc.
Cloudflare can collect your traffic history, but can only connect that history to your originating IP + timestamp. Their official client may be able to collect more info though. But Warp is just WireGuard, so you do not need to run their official client; there are shell/python scripts floating around to get the keys / endpoint IPs set up for Warp to use with the standard in-kernel WireGuard.
Further, all the telcos in the US are known to have colluded in illegal NSA spying on Americans. Cloudflare has not been caught at this yet. So, you can look at it as a choice of exposing your browsing history to an entity that may not be lying and actually is not snooping vs. telcos that are known to have lied and definitely have and are likely still snooping.
> Your ISP can collect your traffic history AND trivially connect that history to your identity, and sell/provide data to brokers, TLAs, police etc.
That's exaggerating quite a bit. Maybe in 2005 they had that sort of insight, but with HTTPS everywhere things are different. Your ISP can only see which IPs you're connecting to, possibly which hosts you're looking up depending on your setup but DNS-over-TLS and the like will put a wet blanket on that.
Cloudflare (even without warp) has a much clearer picture of your browsing habits. Not only do they see which webpages you are requesting since they're situated as a MITM between you and a significant chunk of the servers online, they do quite a lot of browser fingerprinting and tracking for bot mitigation that could, theoretically, be used to identify humans as well.
SNI is majority clear-text today, so your ISP can collect the sites you are visiting and not just their IPs even with TLS. Hopefully that changes soon.
Your point about cloudflare having even more access to your browsing details than the list of sites you have visited that your ISP can collect is a good point. It is kinda crazy how so many companies are OK with a 3rd party terminating TLS for them. And, back on the first point, most sites that do support ESNI today are behind Cloudflare (makes your point even stronger).
But, still, Cloudflare would have to be snooping on content to correlate identity (at Cloudflare scale, that means they would have to already be targeting you), while your ISP already has it.
For me personally (stuck with Verizon which is known to snoop and sell data), I prefer "trusting" Cloudflare until they are shown to be a bad actor like Verizon too.
Yes, but it's not implemented yet on any website. And there is no software support except beta versions of Chrome/Edge and you have to manually toggle flags in dev options.
My ISP has openly stated that they're selling my data for marketing purposes. If CF claims to not be doing that today, then they could at least be temporarily superior.
You have to click on one of the links to find out what this actually does in addition to Cloudflare’s 1^4 DNS server:
> Enter our own WireGuard implementation called BoringTun. The WARP application uses BoringTun to encrypt all the traffic from your device and send it directly to Cloudflare’s edge, ensuring that no one in between is snooping on what you're doing. If the site you are visiting is already a Cloudflare customer, the content is immediately sent down to your device. With WARP+ we use Argo Smart Routing to devise the shortest path through our global network of data centers to reach whomever you are talking to.
> Your Internet service provider can see every site and app you use—even if they’re encrypted. Some providers even sell this data, or use it to target you with ads.
> We believe privacy is a right. We won't sell your data, ever.
"We, the people who make up this company now, but not in the future, PROMISE."
I notice they didn't say "we don't keep the data."
According to the comments, this is just wireguard. I deployed my own on a webhost and I use that, probably to the same effect. I guess I have to trust the webhost not to go snooping in my private logs, but that's a whole lot more targeted and requires a lot more effort.
> Competition keeps people from being evil. Evil only happens when there's no reason for them to NOT do evil things.
I don’t agree. People generally don’t steal, but if they have no food, they will resort to theft to survive. Competition can prevent some ill effects of monopolistic tyranny, which I think is what you’re getting at here, but it breeds other evils.
And in time, Cloudflare will be what Google is now. Better stay away from them, so we don't end locked in, like we did with Google. They will start using their role as the internet proxy as a lever soon, prioritizing the sites they like and slowing down the sites they don't.
Well with TLS it stops (almost (1)) anyone from seeing which pages you access on a site (with exceptions (2)), but which site you visit is still accessible unless the server supports Encrypted Server Name Indication (ESNI).
When using standard SNI (SNI is used so you can have multiple domains on the same IP address) your connection to the server is not encrypted until after the hostname of the server you are requesting is sent, at which point the server knows which cert to use to encrypt the rest of the traffic. So you can pull the host header out of the pre-encrypted traffic and look at which site the user is connecting to.
1) When the webserver you are accessing uses services that terminate TLS before the origin server (Cloudflare and CloudFront to name two) then the operators of those TLS terminators might be able to see which pages on that site you visit
2) You might be able to determine which page someone is accessing via side channels, for example if example.com/naughtypage.html always returns a page of a certain size which is determinable you can presume they connected to example.com/naughtypage.html if the returning data matches that size.
They know what IPs you are connecting to and when, which is valuable. If Cloudflare serves the site you are connecting to (which is increasingly more common) they have access to all of the data you are transmitting.
Somehow I thought they meant more. I’m sure my ISP is after all of my data but I’d rather them than CF. Upon rereading their claim I suspect it is just about IPs and hostnames. I can live with that. Also my browser uses DoH.
ECH (encrypted client hello) is going to become mainstream pretty soon. But if you're doing something dodgy, hostname vs. IP is unlikely to make a difference anyway.
No, but since it's just a VPN for myself, it only has to be close to my eyeballs.
Well, actually it doesn't, since ping time is not particularly important to me, but in theory.
My webhost would be a terrible replacement for Cloudfare's main product, which maybe you're talking about, as it needs a worldwide presence. This product is a VPN for your phone.
Maybe I wasn't clear. My criticism is this: they're logging the data. That leaves the door open to bad actors in the future, whether it's the next CEO, whether it's a government, or whether it's criminals who steal the data.
Pointing out that the company will revolve is not a criticism.
I do think it's kinda funny they are trying to oust your ISP and insert themselves, as the keeper of traffic logs. Either way, I guess we're going to choose a big corporation to trust.
Lastly, I don't think your point stands, when the quote says "we won't sell your data, EVER" (my emphasis)
I’ve been a Warp+ user for some time now and I’m mostly happy.
My online privacy is important to me. I use ad blockers too in addition to cloudflare.
A couple of things I’ve noticed along the way…
1. Switching off my wi-fi network and then rejoining later used to be an issue but seems to have resolved some time ago (mobile)
2. It seems on macOS that almost every time I login I need to update the client.
3. Usually sites can’t resolve my IP and place me hundreds of miles away which is fine by me. However occasionally I run across a site that has a pretty close to home read on my location. It seems sites that leverage cloudflare cdn might see a more accurate location because they are on the same network - I’m not sure how this works technically though.
I’ve never encountered a censorship situation or any website that was inaccessible. I have run into issues where streaming sites want you to turn off VPN but this isn’t consistent. I also run into issues occasionally when jumping on a hotel wi-fi or like a Lowes or Home Depot where they want you to agree to terms and likely want to snoop your traffic.
Biggest pain points with Warp for me are lately, due to all the abuse by scrapers and such, quite a few sites just throw a 403 when I try to connect to them through Warp including my bank-- consider yourself lucky that you haven't been affected yet. And, most of the time, if I try to use Google search, I just get,
"Our systems have detected unusual traffic from your computer network. This page checks to see if it's really you sending the requests, and not a robot."
And, then I am encouraged to enable js so google can provide me a series of captchas to solve.
It used to work better than a VPN terminating at my own VPS, but now Warp netblocks appear to have a worse reputation than even a colocrossing/low-end box vps.
Per Cloudflare's FAQ, sites behind cloudflare see your original IP, other sites do not yet:
I've seen this too but not in a while. I'm hoping they can combine their bot detection token attestation feature with Warp to guarantee my real traffic is separated from bot traffic before it leaves their network.
Cloudflare Warp is not meant for anonymity. If you're using the free tier (and maybe the plus tier too?), websites behind Cloudflare are able to see your origin IP.
They've recently improved their geolocation capability while preserving privacy. In addition, they add an origin IP header to outgoing HTTP requests to help origins deal with geolocation, but not all origins parse it.
I love little things like this. It's fun to do something either by accident or with whimsy, thinking about the ridiculousness, and then find out something actually happens!
How would you candidly compare guarantees/expectations of Mullvad VPN vs your Cloudflare Warp VPN with respect to:
- privacy, but also
- performance.
As a side note, I really value using a certain popular torrent box VM service for $10/mo is that they provide SSH and OpenVPN. I’ve used that VPN a lot when I worked in GCC countries (Saudi Arabia, UAE, Bahrain) to help me get around national HTTP blocklists. Most every other VPN I tried was blocked, or would get blocked after a certain # of GB sent in a certain timespan. I think the torrent box servers were located in minor data centers which weren’t on their list of “high potential risk” so they bypassed the otherwise pretty thorough blocks.
The server I used was also located in the United States which helped a ton with proper localization and accessing my bank accounts/etc which were otherwise sometimes more difficult to use from other countries.
Potentially just ignorance, I’m aware of WireGuard and I use their client for my MacBooks but I haven’t taken time to investigate any of the differences, pros, or cons. Will do that now, thank you for prompting me!
I use Cloudflare WARP for my home and smartphone and laptop. I really, really like the content policies I can configure. Getting the combo of VPN + DNS content filtering is really nice. I use it for blocking myself from accessing pornography and their security and deceptive website categories have been useful.
The interface for configuring the content policies is really easy to use too.
I also really like the browser isolation feature too - I use it to access links from emails I feel suspicious about.
Well. I hear you. But, is it really centralization if we are adding one more ‘super node’ as we seem to be doing in this case?
I am all for even more big companies having even bigger networks. As long as they cannot stop new players from emerging and getting bigger, these centralization vs distributed trade offs are largely academic.
IMHO, it comes down to the economic structure of peering in the US (as I understand it? And not sure globally?).
Tl;dr: You have negotiating power based on the number of end clients you connect to the network.
And connectivity is an extremely high capital, low margin, and predatory industry.
Consequently, "build useful services, that cause more people to connect through you, that then allows you to favorably peer and lower your costs" is Cloudflare's strategic business model.
So yes, they would very much like the entire Internet to run through them. Or more accurately, terminate to their customers.
I suspect the 5 eye countries don't have to pay a dime and have complete access to traffic and records on it. Hence everyone pushing encryption to at least make it a bit harder for them.
Same reason as they offer free TLS termination. Someone is paying for all of that unencrypted and/or de-anonymized traffic across an increasingly large portion of all internet activity.
PRISM and FISA/FAA. 15 years ago every telecom and internet company was providing backdoor access to communications. What makes you think that somehow that has changed? US laws sure haven't and the technology has only improved.
I believe it's simply a statement that you can't take the converse of. If something is free, then the company providing it must get some benefit from it. You can't flip that around in very many cases.
Can anyone explain how Cloudflare got the 1.1.1.1 domain? I know they are an influential company that controls a large portion of the internet, but I'm still confused. Is it an IP or a name that gets matched to an IP?
"APNIC's research group held the IP addresses 1.1.1.1 and 1.0.0.1. While the addresses were valid, so many people had entered them into various random systems that they were continuously overwhelmed by a flood of garbage traffic. APNIC wanted to study this garbage traffic but any time they'd tried to announce the IPs, the flood would overwhelm any conventional network."
> Upon the expiration of the initial period, or at any time thereafter, APNIC shall consider a request by Cloudflare for a permanent allocation of these IPv4 addresses to Cloudflare. APNIC undertakes to refer any such request to the regional Address Policy Special Interest Group as a matter of a change to the current research use designation of these IPv4 addresses, and APNIC shall be bound to the outcomes of this policy group.
Looks like Cloudflare are about to make a sizable "donation" to APNIC.
Most of the time the fastest way to any given site is to avoid unnecessary network hops.
Now maybe CF have a more efficient route here or there but really I can’t believe that for most people it’ll be faster.
As for security or privacy I can’t imagine they’re much safer than browsing most HTTPS sites directly. There’s nothing to say they’ll be able to resist a secret US government subpoena for records either.
You'd be surprised at the poor path that the average packet takes. Cloudflare has lots of PoPs that are very close to major cities so it is very conceivable that if that brings you to a higher quality backbone it would result in better performance overall. I don't know about the quality of Cloudflare's backbone but at Google you could definitely get noticeably better performance by quickly getting into the Google backbone and popping back onto the internet near your destination.
Yes, they maintain prioritized links between their datacenters, many of which are fully private. However, the Warp free plan simply bounces to the nearest CF datacenter which participates in Warp (not all of their centers do) and then back into the public internet, though it's through their massive pipe. Warp+ uses their Argo routing through their private backbone to get you as close to the origin as possible within the Warp network.
The only real advantage I see is that it could be useful in coffee shops and hiding your connections from your computer->isp->cloudflare. isp can't see your traffic and headers other than that the encrypted pipe has been created between you and cloudflare "vpn"
WARP was built on the philosophy that even people who don’t know what “VPN” stands for should be able to still easily get the protection a VPN offers. For those of us unfortunately very familiar with traditional corporate VPNs, something better was needed. Enter our own WireGuard implementation called BoringTun.
The WARP application uses BoringTun to encrypt all the traffic from your device and send it directly to Cloudflare’s edge, ensuring that no one in between is snooping on what you're doing.
> In a number of cases, if the origin site you are communicating with cannot determine who you are and where you are from, it cannot serve locale-relevant content to you (that is, anything related to a customized user experience, such as language or regional configurations). Sites inside Cloudflare’s network are able to see this information. If a site is showing you your IP address, chances are they are in our network. Most sites outside our network, however, are unable to see this information and instead see the nearest egress server to their server. We are working to see if in the future we can find a way to more easily share this information with a limited number of sites outside Cloudflare’s network, where it is relevant to both parties.
Given that Cloudflare has recently announced that a site’s operators promoting doxxing is an acceptable use of that same Cloudflare network (their backtracking on grounds of imminent threats to human life in one situation does not make this any less their policy), I cannot in good conscience promote Warp to anyone.
It overlaps a VPN but it is not a traditional "hide-my-ass" one that hides your IP from the destination address, warp will send along your IP info in headers to the destination if it's someone who uses cloudflare services.
Cloudflare is shoving Warp down any open throat they see. It's really annoying. I recently did some sales calls with them and they really want everyone using Warp.
I'm sure that the traffic analysis it unlocks for them is incredibly valuable. But I'll never use this.
(I had this issue, not sure if its fixed now or I was doing something wrong)
I'm not sure if it's related, but I had some DNS resolution issues when I switched on WARP. I know that 1.1.1.1 is DNS over SSL, some ISPs don't like that? I don't remember which applications had issues (guessing it might be the Steam client, I could be wrong)
Also, never noticed a significant gain in network speed or reliability either. I don't use it anymore, but will give it a try again.
So, are they already blocking access to the parts of the Internet that they consider to be too dangerous for people to be allowed to visit? Or how long would it be till they start to?
Double clicking the background apparently toggles the dark mode. Because you know, people love toggling dark mode on and off and web sites must make it so much easier even at the cost of overriding default behaviors.
> We believe privacy is a right. We won't sell your data, ever.
There’s no reason to believe this. This is the same company that publicly stated their principled position relating to the culture of free speech and then flip-flopped not even 3 days later.
It’s not about that issue but rather that this company has lost credibility and should not be trusted with any promises. Keep at arms length.
Yeah I wondered about this myself. Who checks "terms of service" every week to make sure they haven't changed on every service they use? At least if you use a VPN you know you'd likely hear about it everywhere in tech news, and that VPN knows that it's a death blow.
warp seems to stabilize my connection and 3x the download speed since I have 8% packet loss typically. I'm somewhat of an edge case though since this level of packet loss isn't normal.
Probably. As far as I know, the Apple Relay only works in the browser. So your torrent clients and other apps can still bypass it and directly access their servers. Warp+ is a VPN.
They have no obligation, legally or otherwise, to host content they don't agree with. That isn't censoring. Are you censoring them for telling them what they can or can't do with their servers? You choose who you let in your house and if they say things which demean yourself, family, ie, associates, then like anyone I'm sure you might tell them you don't want to host them. If you're a store owner you have a right to tell someone to leave if they're denigrating other customers, ie, their desire, perhaps some might say right, to shop without harassment. I don't know why the obvious keeps having to be explained here.
They have terminated service for 8chan, The Daily Stormer, and KiwiFarms. I'll leave it up to you to determine how fair of a description "censored" is.
Even though those three website are filth, they have objectively been censored by Cloudflare. What's the confusion here? Just be honest about it and say Cloudflare censors content they don't agree with. Why the tiptoeing around this fact?
I think you are making statements that are stronger than reality.
Cloudflare censors content they don't agree with? I would guess they actually protect a huge volume of content they don't agree with.
And I don't think they have suppressed those sites or gone out of their way to take action against those sites beyond terminating Cloudflare protections. So, to me at least, that doesn't rise to the definition of "censorship".
Just because you state it is a fact doesn't actually make it factual.
Sure, you can roll with this definition of 'censored', but it makes the term almost meaningless.
Would you describe HN as a "censored" forum because they engage in moderation? Even 4chan doesn't allow child porn, would it also be accurately described as censored?
Generally, when we refer to a platform as 'censored' we do so for much stronger reasons than "they've banned a few users/customers in the past".
I'm not that worried since those sites received tons of bad press (for good reason) and were hives of scum and villainy. My main reason is they don't hide your source IP in all cases or provide actual region hiding either. It's a false sense of security.
There was a recent controversy where an activist named "Keffals" posted something violent and threatening on KiwiFarms about herself, screenshotted and deleted it (it's not clear to me whether she deleted the post or if it was removed, however I know her account was banned), and then used the screenshot to lobby CloudFlare to take down the site. After this became known CloudFlare has held steady in their commitment to not allow the site back up.
That said it's not an especially nice site, however where CloudFlare has removed sites in the past they've slowly been censoring less and less radical sites, which has people concerned since it's a "backbone of the internet" type service. Ironically CloudFlare made a blog post a few days before banning KiwiFarms expressing this exact sentiment before doubling back on it https://archive.ph/gJXgF
>There was a recent controversy where an activist named "Keffals" posted something violent and threatening on KiwiFarms about herself, screenshotted and deleted it
There is not a citation big enough for this holy shit
>That said it's not an especially nice site
It's a site that encourages people to literally commit suicide. But you seem to have an agenda in your comment
People who spread hatred and intentionally cause real-world harm to others shouldn't be supported and enabled by private companies I deal with. If they continue to do so, they'll lose me as a customer.
I don’t want infrastructure providers to play law enforcement. If they would have had received a court order and acted afterwards, I’d be okay with their decision. But kicking customers for marketing? Meh.
So, they did it due to commercial reasons, not legal reasons? I assume they judged the commercial repercussions and decided keeping the content was a negative. Why do you think they should host it anyway?
When it's a site trying to get people to kill people over the color of their skin and suicide themselves over being LGBQT, I don't have a problem with a private business saying they won't do business with you. There are plenty of other providers that will. I would be bothered by the government making a company do it however.